deepfence / SecretScanner

:unlock: :unlock: Find secrets and passwords in container images and file systems :unlock: :unlock:

Home Page: https://deepfence.io


Json File Output Options Change

juntaozeng opened this issue · comments

Encountered an error while running the deepfenceio/deepfence_secret_scanner:2.0.0 docker image:

```
flag provided but not defined: -output-path
```

Noticed that 2 related JSON output options were removed in an earlier PR, https://github.com/deepfence/SecretScanner/pull/97/files:

  • json-filename and
  • output-path

However, those options are still being used / referenced in some docs. They probably should be updated so as not to cause confusion.

E.g.

```
--image-name node:latest --json-filename=node-secret-scan.json
```

Side note: slightly curious about the reason behind the sudden change removing JSON output support; I didn't find much explanation / change info in the PR itself.

Hello @juntaozeng,

Thanks for reporting the issue. We removed the flag to make things uniform across all our plugins (https://github.com/deepfence/YaraHunter, https://github.com/deepfence/package-scanner and https://github.com/deepfence/SecretScanner).

The docs are updated to reflect the supported flags in PR #107.

How can I generate a plain JSON file as output? I run deepfence via docker-compose:

docker-compose.yml

```yaml
version: "3.6"

services:
  deepfence:
    image: deepfenceio/deepfence_secret_scanner:latest
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./deepfence/:/home/deepfence/output
    entrypoint: /bin/sh -c "/home/deepfence/usr/SecretScanner -config-path /home/deepfence/usr -image-name=${IMAGE} -output=json > output.json"
    command: ""
```

And even though I don't redirect stderr to the file, I get:

output.json

```
Initializing....
Scanning image user/repo for secrets...
Scanning image /tmp/Deepfence/SecretScanning/userrepo/save-output.tar for secrets...
summary:
  total=0 high=0 medium=0 low=0

{
  "Timestamp": "2023-10-11T23:31:17.192741222Z",
  "Image Name": "user/repo",
  "Image ID": "f28ffd78641197871fea8fd679f2bf8a1cdafa4dc3f1ce3e700ad964aac2879a",
  "Container ID": "",
  "Secrets": null
}
```

which can't be parsed as JSON. Adding the flag `-debug-level FATAL` also didn't help...
What is the intended usage here?

Hi @timobrembeck, the recommended usage is to execute docker run as shown below. This outputs JSON to stdout, which can be redirected to a file.

This gets JSON output to stdout:

```sh
docker run -i --rm --name=deepfence-secretscanner \
-v /var/run/docker.sock:/var/run/docker.sock \
deepfenceio/deepfence_secret_scanner:2.0.0 \
-image-name node:8.11 --output json
```

This redirects the JSON from stdout to the file node.json:

```sh
docker run -i --rm --name=deepfence-secretscanner \
-v /var/run/docker.sock:/var/run/docker.sock \
deepfenceio/deepfence_secret_scanner:2.0.0 \
-image-name node:8.11 --output json > node.json
```

docker-compose usage is not recommended.
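The output.json quoted earlier in this thread shows why a bare redirect can still leave you with an unparseable file: the "Initializing" / "Scanning image" / "summary" lines share stdout with the JSON object. The script below is an added example, not SecretScanner's own code and not part of this thread, that filters the scanner's stdout down to the JSON object before it is stored. The sample output embedded in it is constructed to mirror the output.json quoted above; the commented-out docker run invocation assumes the same image and flags as the reply above.

```shell
#!/bin/sh
# Added example (not SecretScanner's own code): keep only the JSON object from
# scanner stdout that also carries progress and summary lines.

# Constructed sample of mixed scanner stdout, mirroring the output.json quoted
# in this thread. In real use this comes from the docker run command below.
SAMPLE_OUTPUT='Initializing....
Scanning image user/repo for secrets...
Scanning image /tmp/Deepfence/SecretScanning/userrepo/save-output.tar for secrets...
summary:
  total=0 high=0 medium=0 low=0

{
  "Timestamp": "2023-10-11T23:31:17.192741222Z",
  "Image Name": "user/repo",
  "Image ID": "f28ffd78641197871fea8fd679f2bf8a1cdafa4dc3f1ce3e700ad964aac2879a",
  "Container ID": "",
  "Secrets": null
}'

# Pass through everything from the first line that starts with "{" onward.
# Progress and summary lines printed before the object are dropped; the object
# itself (many lines when secrets are found) is forwarded unchanged.
extract_json() {
    awk 'found || /^[{]/ { found = 1; print }'
}

# Cheap structural check so an empty or truncated scan is not stored as a
# "valid" report: the extracted text must start with "{" and end with "}".
looks_like_json_object() {
    first=$(printf '%s\n' "$1" | head -n 1)
    last=$(printf '%s\n' "$1" | tail -n 1)
    [ "$first" = "{" ] && [ "$last" = "}" ]
}

# Real invocation (assumed: image and flags as in the maintainer's reply):
#   docker run -i --rm --name=deepfence-secretscanner \
#     -v /var/run/docker.sock:/var/run/docker.sock \
#     deepfenceio/deepfence_secret_scanner:2.0.0 \
#     -image-name node:8.11 --output json | extract_json > node.json

# Stand-alone demonstration on the constructed sample.
REPORT=$(printf '%s\n' "$SAMPLE_OUTPUT" | extract_json)
if looks_like_json_object "$REPORT"; then
    # Redirect this to node.json (or another file) to store the report.
    printf '%s\n' "$REPORT"
else
    echo "no JSON object found in scanner output" >&2
    exit 1
fi
```

If jq is available, piping the filtered text through `jq .` is a stricter check than the start/end test above, since it fails on any malformed object rather than only on a missing brace.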